Vol. 1 · Ed. 2026
CyberGlossary
Entry № 1062

Rootkit

Reviewed by: Cybersecurity entrepreneur & security researcher

What is Rootkit?

Rootkit: Stealth malware that grants and hides privileged access to an operating system or device, evading detection by standard tools.

A rootkit is a set of tools or kernel/firmware components that give an attacker persistent, high-privilege access while concealing files, processes, registry keys, drivers, and network connections from defenders. Rootkits operate at different rings: user-mode (hooking APIs), kernel-mode (patching the kernel or system call table), bootkit (subverting the boot loader), and firmware (UEFI/BIOS), with deeper placement meaning greater stealth and survivability.

Three milestones illustrate the escalation. In 2005 the Sony BMG XCP copy-protection scandal exposed millions of consumer PCs when the CD software silently installed a rootkit that cloaked any file beginning with $sys$. In 2018 ESET documented LoJax, the first UEFI rootkit found in the wild — attributed to the Russia-linked Sednit/APT28 group — which rewrote the SPI flash so it survived OS reinstalls and disk swaps. In 2023 BlackLotus became the first UEFI bootkit to defeat Secure Boot on fully patched Windows 11, abusing CVE-2022-21894 ("Baton Drop") to disable BitLocker, HVCI, and Defender; it sold on forums for around $5,000.

Detection requires memory forensics, integrity/attestation checks, and offline scanning, since a live infected OS cannot be trusted to report on itself. Mitigations include UEFI Secure Boot with up-to-date revocation lists (DBX), signed-driver enforcement, TPM-based measured boot, and minimising kernel-mode software.
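As an added example (not part of this glossary entry), a minimal verifier for the TPM measured-boot check mentioned above: it replays an event log using the TPM extend rule and compares the result to the quoted PCRs and to known-good values, which is how a bootkit that swaps the boot loader shows up even though the running OS cannot be trusted. All component names and digests are constructed.

```python
"""Replay a measured-boot event log and check it against TPM PCR values.

Constructed example: the measured components and digests below are made up;
a real check would use the TCG event log and a TPM quote from the device.
"""
import hashlib

SHA256_ZERO = bytes(32)  # every PCR in the SHA-256 bank starts at all-zero

def measure(component: bytes) -> bytes:
    """Digest of a measured component (firmware image, boot manager, policy)."""
    return hashlib.sha256(component).digest()

def extend(pcr_value: bytes, digest: bytes) -> bytes:
    """TPM2 PCR extend for a SHA-256 bank: new = H(old || digest)."""
    return hashlib.sha256(pcr_value + digest).digest()

def replay(event_log):
    """Recompute PCR values from (pcr_index, digest) log entries, in order."""
    pcrs = {}
    for pcr, digest in event_log:
        pcrs[pcr] = extend(pcrs.get(pcr, SHA256_ZERO), digest)
    return pcrs

def verify(event_log, quoted_pcrs, golden_pcrs):
    """Two independent checks a verifier performs on an attestation:
    1. the replayed log must reproduce the TPM-quoted PCRs, otherwise the
       event log handed over by the (untrusted) OS has been edited;
    2. the quoted PCRs must match known-good values, otherwise a measured
       component (e.g. the boot loader) is not the one that was enrolled.
    Returns a list of findings; an empty list means the chain checks out."""
    findings = []
    replayed = replay(event_log)
    for pcr, value in quoted_pcrs.items():
        if replayed.get(pcr) != value:
            findings.append(f"PCR{pcr}: event log does not reproduce quoted value")
        elif golden_pcrs.get(pcr) != value:
            findings.append(f"PCR{pcr}: quoted value differs from golden reference")
    return findings

# Constructed boot chain: PCR0 firmware, PCR4 boot manager, PCR7 Secure Boot policy.
GOLDEN_LOG = [(0, measure(b"vendor firmware v1.0")),
              (4, measure(b"signed boot manager")),
              (7, measure(b"SecureBoot=1, db/dbx hashes"))]
GOLDEN_PCRS = replay(GOLDEN_LOG)

# Same machine after a bootkit replaced the boot loader: the TPM measured the
# replacement honestly, so the quote reflects it even though the OS is compromised.
BOOTKIT_LOG = [GOLDEN_LOG[0], (4, measure(b"tampered boot manager")), GOLDEN_LOG[2]]
BOOTKIT_QUOTE = replay(BOOTKIT_LOG)

if __name__ == "__main__":
    for line in verify(BOOTKIT_LOG, BOOTKIT_QUOTE, GOLDEN_PCRS):
        print(line)
```

The third assertion in the test covers the case where the compromised OS hands over the original log to hide the change: the TPM-signed quote still exposes it, which is why the quote, not the log, is the root of trust.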

flowchart TB
  subgraph Stealth depth
    U[User-mode rootkit: API hooking] --> K[Kernel-mode: patch syscalls]
    K --> B[Bootkit: subvert boot loader]
    B --> F[Firmware/UEFI: SPI flash persistence]
  end
  F --> P[Survives OS reinstall and disk swap]

Examples

  1. TDL/TDSS, a long-lived kernel-mode rootkit family targeting Windows.

  2. ZeroAccess, used to hide click-fraud and Bitcoin-mining payloads.

Frequently asked questions

What is Rootkit?

Stealth malware that grants and hides privileged access to an operating system or device, evading detection by standard tools. It belongs to the Malware category of cybersecurity.

What does Rootkit mean?

Stealth malware that grants and hides privileged access to an operating system or device, evading detection by standard tools.

How do you defend against Rootkit?

Defences for Rootkit combine technical controls (UEFI Secure Boot with current DBX revocation lists, signed-driver enforcement, TPM-based measured boot, and minimising kernel-mode software) with operational practices such as memory forensics, integrity/attestation checks, and offline scanning, as detailed in the full definition above.

What are other names for Rootkit?

Common alternative names include: Stealth kit, Root-level malware.
